This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex-
Advisor
Advisor
‎2023-08-24 01:51 AM
Jump to solution

Enabling Anti-Phishing on R81.20 VSX without Internet interface

VSX R81.20 T24

I'm looking for the best way to et-up Anti-Phishing on VS's doing HTTPS Inspection but don't have a public interface, this is done by an upstream system.

Zero Phishing In-Browser protection is not working for HTTP sites (checkpoint.com) mentions that it's best practice to use a public IP for the FQDN, even if it's a dummy one and assign it to a disconnected interface.

Now the issue with VSX is that assigning an IP to a discrete disconnected interface will cause this IP to be monitored and the VS will go from Active/Standby to Active/Down.

Is it then recommended to still enable the interface and create a connectivity between the VSX cluster members for that IP.

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Authority
Authority
‎2023-08-24 05:44 AM
Jump to solution

We had a similar use case in the past, need of a dummy interface. We  solved this with a new VLAN interface on an existing BOND. To get the interface up you have to configure the connected switchports with the same VLAN-ID, because they are monitored as you wrote. Normally only first and last VLAN on a trunk are monitored, you could use one in between without to be monitored . But for troubleshooting and some other interaction it's better to configure this like a normal, including the switch.

If you can't use a VLAN you can use a new physical interface but you have to connect these to a switch to get the link up or if only two gateways are used via a direct attached cable.

View solution in original post

4 Replies
G_W_Albrecht
Legend
Legend
‎2023-08-24 03:33 AM
Jump to solution

I would strongly suggest to contact TAC !

CCSE CCTE CCSM SMB Specialist
0 Kudos
Wolfgang
Authority
Authority
‎2023-08-24 05:44 AM
Jump to solution

We had a similar use case in the past, need of a dummy interface. We  solved this with a new VLAN interface on an existing BOND. To get the interface up you have to configure the connected switchports with the same VLAN-ID, because they are monitored as you wrote. Normally only first and last VLAN on a trunk are monitored, you could use one in between without to be monitored . But for troubleshooting and some other interaction it's better to configure this like a normal, including the switch.

If you can't use a VLAN you can use a new physical interface but you have to connect these to a switch to get the link up or if only two gateways are used via a direct attached cable.

Alex-
Advisor
Advisor
‎2023-08-24 09:21 AM
In response to Wolfgang
Jump to solution

That's very correct, I used this method in the past for so-called loopbacks. The issue here is that  dummy public IP is required. Since it will be up if either connected with a port or bond VLAN, it will be redistributed in dynamic routing and will then require specific routemaps where we used a generic redistribute to announce connected networks. Also, I understand in the case of multiple VS we'll need on top of that to configure a dummy public IP and FQDN for each one. Not sure the customers will find this elegant.

0 Kudos
Wolfgang
Authority
Authority
‎2023-08-24 11:43 AM
In response to Alex-
Jump to solution

I don‘t know your specific requirements. But as an idea….. you can create a new virtual firewall with the dummy public IP and a very simple policy (your AntiPhishing). Your outgoing traffic can be routed through these new system from the other VSs ?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events